X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=ONAP-SDK-APP%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Ffilter%2FSecurityXssFilter.java;fp=ONAP-SDK-APP%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Ffilter%2FSecurityXssFilter.java;h=9843f604ad758c11c356f25282d45b5b4060a967;hb=428150834ee60899b9a8da019bae3c8bf009adf1;hp=0000000000000000000000000000000000000000;hpb=775f45908025e46a40c9c147fca2066af5c8c5b8;p=policy%2Fengine.git diff --git a/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java new file mode 100644 index 000000000..9843f604a --- /dev/null +++ b/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -0,0 +1,90 @@ +/*- + * ================================================================================ + * ONAP Portal SDK + * ================================================================================ + * Copyright (C) 2017 AT&T Intellectual Property + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ================================================================================ + */ +package org.onap.portalapp.filter; + +import java.io.IOException; +import java.io.UnsupportedEncodingException; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang.StringUtils; +import org.onap.portalapp.util.SecurityXssValidator; +import org.springframework.web.filter.OncePerRequestFilter; +import org.springframework.web.util.ContentCachingRequestWrapper; +import org.springframework.web.util.ContentCachingResponseWrapper; +import org.springframework.web.util.WebUtils; + +public class SecurityXssFilter extends OncePerRequestFilter { + + private static final String BAD_REQUEST = "BAD_REQUEST"; + + private SecurityXssValidator validator = SecurityXssValidator.getInstance(); + + private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException { + String payload = null; + ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); + } + } + return payload; + } + + private static String getResponseData(final HttpServletResponse response) throws IOException { + String payload = null; + ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, + ContentCachingResponseWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); + wrapper.copyBodyToResponse(); + } + } + return payload; + } + + @SuppressWarnings("unused") + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + + if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) { + + HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request); + HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response); + filterChain.doFilter(requestToCache, responseToCache); + String requestData = getRequestData(requestToCache); + String responseData = getResponseData(responseToCache); + if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { + throw new SecurityException(BAD_REQUEST); + } + + } else { + filterChain.doFilter(request, response); + } + + } +}